Blocking 239.255.255.250



  • Why would I be seeing this? I know what 239.255.255.250 is but don't understand why pfBlocker is blocking it. It shows it doesn't even match a list. I have upgraded to pfSense 2.4 and it may have started right at that time, but I can't say that 100% for sure.


    ![pfBlocker IPv4Malware.PNG](/public/imported_attachments/1/pfBlocker IPv4Malware.PNG)



  • "no match" is shown when pfBlockerNG doesn't find the IP in any table.

    That can happen after a Force/Cron update ran and the IP is no longer present in the table.



  • How would I go about clearing that? It's been happening for a couple weeks now actually. I've forced update/reload and the firewall has been rebooted. I have also uninstalled/reinstalled pfBlocker with "Keep Settings" unchecked.



  • As long as it is present in FW Alerts, it will display in the pfBlockerNG Alerts tab

    If the blocks are still occurring, then you have to figure out which table causes the block.
    Either look at the tables with the pfBlockerNG Logs tab

    or use a command prompt

    grep "^239." /var/db/pfblockerng/deny/*


  • Moderator

    By any chance are you using the "ThreatCrowd" feed?  I have seen too many FPs with that list…

    https://www.threatcrowd.org/feeds/ips.txt
    


  • @RonpfS:

    > As long as it is present in FW Alerts, it will display in the pfBlockerNG Alerts tab
    >
    > If the blocks are still occurring, then you have to figure out which table causes the block.
    > Either look at the tables with the pfBlockerNG Logs tab
    >
    > or use a command prompt
    >
    > grep "^239." /var/db/pfblockerng/deny/*

    I did this and it returned nothing, yet 239.255.255.250 is still showing up on pfBlocker with "no match". Any idea where it is from?



  • It is SSDP. 239.255.255.250:1900 UDP
    I created a LAN rule to drop and not log those packets and it cleared up the alerts.

    ![Screenshot (13).png](/public/imported_attachments/1/Screenshot (13).png)
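    The table search from the earlier reply (grep over the deny files) and the SSDP point in this one can be combined into one check. The script below is an added example, not code from the thread or from pfBlockerNG itself. It assumes, as the thread's grep does, that the deny tables are plain text files under /var/db/pfblockerng/deny/ with one IP or CIDR per line; the DENY_DIR variable, the function names and the alias name pfB_IPv4Malware in the comments are this example's own assumptions. `pfctl -t TABLE -T test IP` is a real pf command but needs root on the firewall, so it is only wrapped here and not exercised offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfBlockerNG itself.
# Finds which pfBlockerNG deny table (if any) lists an IP, and recognises
# multicast destinations such as SSDP's 239.255.255.250 that can never be
# a remote "malware" source, so an alert on them is local noise.
#
# Assumption (taken from the grep in the thread): deny tables are plain
# text files under /var/db/pfblockerng/deny/, one IP or CIDR per line.
# DENY_DIR can be overridden, e.g. to point at a copy for offline testing.
DENY_DIR="${DENY_DIR:-/var/db/pfblockerng/deny}"

# is_multicast IP: succeeds if the first octet is 224-239 (224.0.0.0/4).
# SSDP uses 239.255.255.250:1900/UDP inside that range.
is_multicast() {
    first=${1%%.*}
    [ "$first" -ge 224 ] 2>/dev/null && [ "$first" -le 239 ]
}

# find_in_tables IP: prints "file:entry" for each table that contains the
# IP as a whole line; exit status 1 when nothing matches.
# -x stops 10.1.1.1 matching 10.1.1.10; -F treats the dots literally.
find_in_tables() {
    grep -H -x -F -- "$1" "$DENY_DIR"/* 2>/dev/null
}

# find_prefix_in_tables PREFIX: the thread's looser search, e.g. "239." or
# "239.255.", which also surfaces CIDR entries such as 239.0.0.0/8.
find_prefix_in_tables() {
    grep -H -- "^$1" "$DENY_DIR"/* 2>/dev/null
}

# pf_table_test TABLE IP: ask pf itself, which understands CIDR entries.
# Needs root on pfSense. Hypothetical usage with an assumed alias name:
#   pf_table_test pfB_IPv4Malware 239.255.255.250
pf_table_test() {
    pfctl -t "$1" -T test "$2"
}

# classify_ip IP: prints one of
#   multicast  - local multicast destination (SSDP/UPnP, mDNS, ...)
#   listed     - an exact entry exists in at least one deny table
#   no match   - nothing found; the entry may have been removed by a
#                Force/Cron update after the alert was logged
classify_ip() {
    ip="$1"
    if is_multicast "$ip"; then
        echo "multicast"
        return 0
    fi
    hits=$(find_in_tables "$ip" || :)
    if [ -n "$hits" ]; then
        echo "listed"
    else
        echo "no match"
    fi
}

# Stand-alone use:  sh check_pfb.sh 239.255.255.250 1.2.3.4
if [ $# -gt 0 ]; then
    for ip in "$@"; do
        printf '%s: %s\n' "$ip" "$(classify_ip "$ip")"
        find_in_tables "$ip" || :
    done
fi
```

    A "multicast" verdict means the alert is about a destination address on the local segment (here SSDP discovery from devices on the LAN), not a feed hit, which is why a LAN rule that drops the traffic without logging clears the alerts while a feed change does not.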



  • I should also note that the SSDP traffic was coming only from my DirecTV boxes, and it was really annoying.
    So I also created WAN rules for each specific address to block and not log.
    Granted, I am very new to PFSense and pfBlockerNG, and these folks have been AWESOME to help me figure stuff out, and what I have done might not necessarily work in your case.

    ![Screenshot (14).png](/public/imported_attachments/1/Screenshot (14).png)



  • @BBcan177:

    > By any chance are you using the "ThreatCrowd" feed?  I have seen too many FPs with that list…
    >
    > https://www.threatcrowd.org/feeds/ips.txt

    I am seeing more of these and yes, it is from the threatcrowd list from what I can see on my system.

    However, I did add it to suppression and it is still showing. :(

    And yes, I am seeing a lot of possible FPs from that list also.

    Thx!


  • Moderator

    I have had poor results with that Feed… I'd disable it due to the FPs in the feed...